From a4a6b7bd9e35d6122f7e1194d9ca757070fbe547 Mon Sep 17 00:00:00 2001
From: Paul Higinbotham
Date: Thu, 12 Aug 2021 14:49:34 -0700
Subject: [PATCH] Disallow all COM for AppLocker system lock down
---
 .../security/wldpNativeMethods.cs | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/System.Management.Automation/security/wldpNativeMethods.cs b/src/System.Management.Automation/security/wldpNativeMethods.cs
index f8a78f12a9a..02cbf8f1815 100644
--- a/src/System.Management.Automation/security/wldpNativeMethods.cs
+++ b/src/System.Management.Automation/security/wldpNativeMethods.cs
@@ -391,6 +391,14 @@ private static SystemEnforcementMode GetDebugLockdownPolicy(string path)
 /// True if the COM object is allowed, False otherwise.
 internal static bool IsClassInApprovedList(Guid clsid)
 {
+ // This method is called only if there is an AppLocker and/or WLDP system wide lock down enforcement policy.
+ if (s_cachedWldpSystemPolicy.GetValueOrDefault(SystemEnforcementMode.None) != SystemEnforcementMode.Enforce)
+ {
+ // No WLDP policy implies only AppLocker policy enforcement. Disallow all COM object instantiation.
+ return false;
+ }
+
+ // WLDP policy must be in system wide enforcement, look up COM Id in WLDP approval list.
 try
 {
 WLDP_HOST_INFORMATION hostInformation = new WLDP_HOST_INFORMATION();
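Review bot: The comment `// No WLDP policy implies only AppLocker policy enforcement.` understates the guard above it, which returns false for every value other than `SystemEnforcementMode.Enforce` — not just the `None` default used when the cached value is unset, but also a WLDP policy that is present in a non-enforcing (audit-style) mode — so it should read `// WLDP is not in Enforce mode (no policy, or a non-enforcing one): only AppLocker can be enforcing here, so disallow all COM instantiation.` The fail-closed direction is right, since an unpopulated `s_cachedWldpSystemPolicy` also yields false, but the method's `<returns>` doc visible at the top of the hunk (`True if the COM object is allowed, False otherwise.`) should now say that COM is denied outright unless WLDP is enforcing, because callers under AppLocker-only lockdown will see a blanket false regardless of `clsid`. It is not visible here whether `s_cachedWldpSystemPolicy` is guaranteed to be populated before this method runs; if it is filled lazily elsewhere, a short comment pointing at that initialization would help the next maintainer understand why a default of `None` is the intended safe fallback. The body of `IsClassInApprovedList` continues past the end of the hunk.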